Total
1255 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3557 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2024-08-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resources of the cluster including all secrets which might enable privilege escalations. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2018-11116 | 1 Openwrt | 1 Openwrt | 2024-08-05 | 6.5 MEDIUM | 8.8 HIGH |
| OpenWrt mishandles access control in /etc/config/rpcd and the /usr/share/rpcd/acl.d files, which allows remote authenticated users to call arbitrary methods (i.e., achieve ubus access over HTTP) that were only supposed to be accessible to a specific user, as demonstrated by the file, log, and service namespaces, potentially leading to remote Information Disclosure or Code Execution. NOTE: The developer disputes this as a vulnerability, indicating that rpcd functions appropriately | |||||
| CVE-2018-7311 | 1 Privatevpn | 1 Privatevpn | 2024-08-05 | 9.0 HIGH | 8.8 HIGH |
| PrivateVPN 2.0.31 for macOS suffers from a root privilege escalation vulnerability. The software installs a privileged helper tool that runs as the root user. This privileged helper tool is installed as a LaunchDaemon and implements an XPC service. The XPC service is responsible for handling new VPN connection operations via the main PrivateVPN application. The privileged helper tool creates new VPN connections by executing the openvpn binary located in the /Applications/PrivateVPN.app/Contents/Resources directory. The openvpn binary can be overwritten by the default user, which allows an attacker that has already installed malicious software as the default user to replace the binary. When a new VPN connection is established, the privileged helper tool will launch this malicious binary, thus allowing an attacker to execute code as the root user. NOTE: the vendor has reportedly indicated that this behavior is "an acceptable part of their software. | |||||
| CVE-2019-12102 | 1 Kentico | 1 Kentico | 2024-08-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it’s up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information | |||||
| CVE-2020-12831 | 1 Linuxfoundation | 1 Free Range Routing | 2024-08-04 | 4.3 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in FRRouting FRR (aka Free Range Routing) through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissions, leading to a possible information leak via tools/frr.in and tools/frrcommon.sh.in. NOTE: some parties consider this user error, not a vulnerability, because the permissions are under the control of the user before any sensitive information is present in the file | |||||
| CVE-2022-48257 | 1 Eternal Terminal Project | 1 Eternal Terminal | 2024-08-01 | N/A | 5.3 MEDIUM |
| In Eternal Terminal 6.2.1, etserver and etclient have predictable logfile names in /tmp. | |||||
| CVE-2024-5618 | 2024-07-19 | N/A | 9.9 CRITICAL | ||
| Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Apinizer Management Console: before 2024.05.1. | |||||
| CVE-2022-30527 | 1 Siemens | 1 Sinec Nms | 2024-07-09 | N/A | 7.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application assigns improper access rights to specific folders containing executable files and libraries. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges. | |||||
| CVE-2024-0949 | 2024-06-27 | N/A | 9.8 CRITICAL | ||
| Improper Access Control, Missing Authorization, Incorrect Authorization, Incorrect Permission Assignment for Critical Resource, Missing Authentication, Weak Authentication, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Talya Informatics Elektraweb allows Exploiting Incorrectly Configured Access Control Security Levels, Manipulating Web Input to File System Calls, Embedding Scripts within Scripts, Malicious Logic Insertion, Modification of Windows Service Configuration, Malicious Root Certificate, Intent Spoof, WebView Exposure, Data Injected During Configuration, Incomplete Data Deletion in a Multi-Tenant Environment, Install New Service, Modify Existing Service, Install Rootkit, Replace File Extension Handlers, Replace Trusted Executable, Modify Shared File, Add Malicious File to Shared Webroot, Run Software at Logon, Disable Security Software.This issue affects Elektraweb: before v17.0.68. | |||||
| CVE-2024-33499 | 2024-06-11 | N/A | N/A | ||
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected application assigns incorrect permissions to a user management component. This could allow a privileged attacker to escalate their privileges from the Administrators group to the Systemadministrator group. | |||||
| CVE-2024-30208 | 2024-06-11 | N/A | N/A | ||
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The "DBTest" tool of SIMATIC RTLS Locating Manager does not properly enforce access restriction. This could allow an authenticated local attacker to extract sensitive information from memory. | |||||
| CVE-2023-45205 | 1 Siemens | 1 Sicam Pas\/pqs | 2024-06-11 | N/A | 7.8 HIGH |
| A vulnerability has been identified in SICAM PAS/PQS (All versions >= V8.00 < V8.20). The affected application is installed with specific files and folders with insecure permissions. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges to `NT AUTHORITY/SYSTEM`. | |||||
| CVE-2023-38640 | 1 Siemens | 1 Sicam Pas\/pqs | 2024-06-11 | N/A | 4.4 MEDIUM |
| A vulnerability has been identified in SICAM PAS/PQS (All versions >= V8.00 < V8.22). The affected application is installed with specific files and folders with insecure permissions. This could allow an authenticated local attacker to read and modify configuration data in the context of the application process. | |||||
| CVE-2023-42861 | 1 Apple | 1 Macos | 2024-06-10 | N/A | 6.5 MEDIUM |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac. | |||||
| CVE-2024-21835 | 1 Intel | 1 Extreme Tuning Utility | 2024-06-07 | N/A | 7.8 HIGH |
| Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2021-22566 | 1 Google | 1 Fuchsia | 2024-05-29 | 7.5 HIGH | 9.8 CRITICAL |
| An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead to privileged executable pages being mapped as executable from an unprivileged context. This can be leveraged by an attacker to bypass executability restrictions of kernel-mode pages from user-mode. An incorrect setting of PXN bits within mmu_flags_to_s1_pte_attr lead to unprivileged executable pages being mapped as executable from a privileged context. This can be leveraged by an attacker to bypass executability restrictions of user-mode pages from kernel-mode. Typically this allows a potential attacker to circumvent a mitigation, making exploitation of potential kernel-mode vulnerabilities easier. We recommend updating kernel beyond commit 7d731b4e9599088ac3073956933559da7bca6a00 and rebuilding. | |||||
| CVE-2023-7055 | 1 Phpgurukul | 1 Online Notes Sharing System | 2024-05-17 | N/A | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in PHPGurukul Online Notes Sharing System 1.0. Affected is an unknown function of the file /user/profile.php of the component Contact Information Handler. The manipulation of the argument mobilenumber leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-248742 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-4383 | 1 Escanav | 1 Escan Anti-virus | 2024-05-17 | N/A | 7.8 HIGH |
| A vulnerability, which was classified as critical, was found in MicroWorld eScan Anti-Virus 7.0.32 on Linux. This affects an unknown part of the file runasroot. The manipulation leads to incorrect execution-assigned permissions. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-237315. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-21819 | 1 Nvidia | 3 Jetson Linux, Jetson Nano, Jetson Nano 2gb | 2024-05-08 | 4.6 MEDIUM | 7.6 HIGH |
| NVIDIA distributions of Jetson Linux contain a vulnerability where an error in the IOMMU configuration may allow an unprivileged attacker with physical access to the board direct read/write access to the entire system address space through the PCI bus. Such an attack could result in denial of service, code execution, escalation of privileges, and impact to data integrity and confidentiality. The scope impact may extend to other components. | |||||
| CVE-2021-3631 | 2 Netapp, Redhat | 4 Ontap Select Deploy Administration Utility, Enterprise Linux, Libvirt and 1 more | 2024-04-01 | 3.3 LOW | 6.3 MEDIUM |
| A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity. | |||||